Wednesday, November 18, 2015

MegaDownloader and Steganography

From version 1.7 onwards (click here to download a TEST version), MegaDownloader will add the option to hide MEGA links inside JPEG images using a technique called Steganography.

Steganography, according to the Wikipedia, "is the practice of concealing a file, message [...] within another file [...]. 
The word steganography combines the Greek words steganos (στεγανός), meaning "covered, concealed, or protected", and graphein (γράφειν) meaning "writing"."

Thanks to this technique, you will be able to hide, protect and share MEGA links directly from a JPEG image.

How will this option work?

MegaDownloader will allow these two options:
  • Create an image with hidden links.
  • Load links from the previous image and download them.

MegaDownloader will also allow to choose between saving the links in a visible way, or an "invisible" way, so the user that retrieves them will be able to download them, but not see them.

Moreover, links will be protected with a password (optional), so discover the hidden data will be very difficult (or directly impossible).

How does this feature work?

Steganography consists in two steps (normally it is referred as the first one, but in practice both are always applied):
  • Hide the data so an "attacker" doesn't know there is a hidden message.
  • Cipher the data so even if the "attacker" discover there is a hidden message, can't retrieve it.
This second step is easly achieved using cryptography (AES for example). The first step is more complex and depends on the image type.
For Bitmaps, normally the information is hidden in the LSB (less significant byte). A normal user won't be able to retrieve the data or notice there is something hidden. A stegano analyst will use "statistical attacks" in order to determine if there is a message hidden - normally with some degree of success.
However nowadays nobody uses Bitmaps... so what about JPEGs (the most common image format)?

The simpler way is to hide information after the EOF of the JPEG, or inside the EXIF or the comment markers (COM). These methods are trivial, a normal user won't see them easily but a stegano analyst will discover it immediately.

There are more complex techniques for JPEG. For example, hidding information in the DCT matrix.
This is how both Outguess and JSteg works. The bad side is that these methods are old and nowadays are considered broken - using statistical attacks it is possible to detect a message hidden.

A more recent technique called "F5" (an evolution of F3 and F4 algorithms) allow to hide information in the JPEG but makes it much difficult to an analyst to discover the message - it offers a good resistance to statistical attacks.
This algorithm can be broken in some cases using an statistical test called "Chi Square analysis". However, if the message is small enough compared to the container image, the probability of discovering a message is reduced.

So, to sum up, most of the steganographic algorithm are considered "broken", although F5 is one of the most secure. When we say "broken" we mean that an analyst can discover a secret message with a certain probability, but if it is ciphered, then he won't be able to deciphered it without the password - if the cipher algorithm is good, of course.

Which techniques implement MegaDownloader?

First, MegaDownloader uses the F5 algorithm to hide links inside the JPEGs. This ensures that will be very difficult, or even impossible in some cases, to discover a message in the image (the smaller message, the more difficult to discover).
It also distributes the message over the image, using a pseudo-random distribution based on a password, which difficults the analysis.

Second, the message is ciphered, using a 256 bit AES cipher, with a random IV generated with a CSPRNG (Cryptographically Secure PseudoRandom Number Generator).
The key is derived with a PBKDF2 function, using more than 25,000 SHA1 iterations with a salt.

Can this be tagged as "secure"? 
First, consider there is nothing 100% secure (specially for the NSA :p). Taking this into account, we have used some of the most advanced techniques to protect and hide the links inside JPEG images.
The security of the system is based on the password chosen for ciphering the data, so if the password is strong enough, it wouldn't be a mistake say that yes, it could be considered quite secure :)

Can I test it?

Of course! In this link you can download the Development version of the version 1.7.

Want to try?
Download this image (or select the URL), put it into the Steganography window (Options/Retrieve links from an image) and enter the password "Megadownloader".
If you find any problem or bug don't hesitate in posting it so we can help you :)

Thursday, March 19, 2015

MegaDownloader is no longer BETA! Version 1.0 released!!

A new version of MegaDownloader has been released, version 1.0!!

Instead of publishing version 0.93, we decided to release the version 1.0, leaving the "BETA" term.

The main reason for this decision is because MegaDownloader is mature enough to be considered "stable", not a BETA.

MegaDownloader was released on 1st February 2013.
It was the first application for downloading files from MEGA, and the first application that allowed the users to watch online video files.
For these two years, we have continued working on improving, fixing and developing MegaDownloader, and it is stable enough for everyday use.

The main changes of this version are:
- Fixed error when reading folder links
- Fixed filmaffinity and allocine Library support
- Added support for and links

Of course, we will continue working on improving MegaDownloader even more ;)

Tuesday, January 27, 2015

New version v0.90 on the horizon!

A new version 0.90 will be released very soon!

Some changes:

- Support for and

- Added a config backup - some users experimented data loss from an unexpected PC restart in some rare cases. Now the config file is saved twice in order to have a backup.

- Corrected some minor bugs with folders.

- Added support for!xxx links (links from a folder, they are not available through browser but can be downloaded with other managers).

- New mega:// encode (backward compatibility, but not forward; example, a link generated with 0.83 can be used in 0.90, but a link generated in 0.90 can't be used in 0.83). This will enhance link protection!

Keep up to date with the latest news! MegaDownlaoder will popup a reminder when the new version is available for download :)

Thursday, December 11, 2014

QUICKFIX - New version 0.83 to correct bug

MEGA is doing some changes in their SSL certificates. It seems that they are quitting SSL3 because of the POODLE bugs, so it causes problems with MegaDownloader 0.82

I am releasing version 0.83 in order to correct it.

If you want to try it, please download it here. If nobody reports connection problems, I will put it in the download page.

Thanks for your patience.

Monday, April 8, 2013

Integrating ELC into your community


This article will explain how you can integrate the ELC system into your community - using MegaDownloader 0.8
For an overall view of the ELC system, please refer to the article: "Understanding mega:// links", section "ELC links".
Required knowledge: This article presupposes you have some knowledge about cryptography, hashing, BD, and HTTP protocol.

Server validation

ELC requires a server to perform two actions:
- Validate users, so only users of your community will be able to download the files.
- Encode or decode the internal password that will allow users to download the files.

Two pages are required:
- One page to show the users of your community HOW to configure their MegaDownloader/MegaUploader ELC account.
- One page to validate the data and perform the password encode/decode.

User validation

Each user will have two unique codes that will let them identify into your system. You have to provide them to your users using the first page.
The first code is the "Username", a public code that will identify which user wants to download the files.
The second code is the "API-Key", a private code that will validate the user as a valid member of your community.
Apart of that, you should also display to the user the URL of the second page (the one that validates the data).

This API-Key should NOT be the user's password. Using the user's password represents a security issue, because if you don't use SSL, the data will travel unencrypted.
The API-Key should be a code that validates the user for the ELC usage, and nothing else. If a third person gets the user's API-Key, he shouldn't be able to modify the user's account, or anything like that. An API-Key should also be regenerated when the user changes his password.

A good API-Key would be, for example, the hash generated from concatenating  the username and the hashed password stored in your system - normally you store a hash, not the plain password of the user. If the user changes his password, the API-Key will be changed, because the hashed password has been changed.
If you also add a random salt when generating the hash, then security is increased.
Normally communities use a CMS or forum, with their own tables where user data is stored.

For example, if your community DB has a table called "user", with two columns "username" and "password", you could do something like:
1) Get the value of the username and his (hashed) password.
2) Concatenate a random salt string to the username and the (hashed) password (optional but recommended).
3) Generate a hash (preferably a SHA256 or SHA512, it's longer but also more secure than MD5).

This final hash could be the API-Key.

Data process

So, in your first page, the one that displays the user's data to configure his ELC account, you should generate and display the API-Key. The page should also display the Username and the URL of the second page.

The second page will be used internally by MegaDownloader. You can find here a PHP example of this page.
Of course, if your system doesn't use PHP but another language (Java, .NET, etc) you should adapt the example to that language.
This page will receive HTTP POST petitions, so this page should not allow GET petitions - if a user puts this URL in his browser, an error should be displayed because this page is designed to be accesed with a POST petition.

MegaDownloader and MegaUploader will send 4 POST parameters when generating an ELC or when reading an ELC:

- Parameter "USER": Will contain the user's code.
- Parameter "APIKEY": Will contain the user's API-Key.
- Parameter "OPERATION_TYPE": Two possible values: E or C.
- Parameter "DATA": a string containing the data to process.

The first two parameters are used for validating the user; the other two parameters are used for processing the data.

The page will return, in all cases, a JSON response.

If there is an error (invalid user access, invalid data, etc), the page will return this structure:

{"e": "'ERROR DESCRIPTION", "d": ""}

If there is no error, the page will return this structure:

{"e": "", "d": "PROCESSED DATA"}

As you can see, only two parameters are returned: e (error) and d (data). One must be empty and the other filled.

The page will perform two different actions:

- First, it will validate the user by using the data contained in the "USER" and "APIKEY" parameters. If the user is not validated, then an error will be returned and the page won't continue with the second action.

- Once the user has been validated, then the page will process the data (by using the other two parameters "OPERATION_TYPE" and "DATA".

"OPERATION_TYPE" parameter will contain E or C (any other value will cause an error to be returned). E means Encrypt, and D means Decrypt. So basically, you will take the data contained in the "DATA" parameter, and will encrypt it or decrypt it depending on the value of "OPERATION_TYPE".
It's very important to emphasise that the input data of the E operation must be equal to the output data of the D operation, when the E output and the D input is the same. The encryption process must be simmetric!!

The way to implement the encryption/decryption process is up to you. But if you just want "something that works", then you can use the example provided previously.

The example page doesn't contain a "good" implementation of the first action: it just compares the USER and APIKEY values with a constant text. This is because depending on how your community works, you can make one implementation or another; the general idea of how it should work was provided in the previous paragraphs.

However, the second action is fully implemented. In the example, an AES cipher is performed to the data provided. You can use this example "as is", just changing the password at the beginning of the code.
If you prefer, you can implement the proces on another way. You can store the input data in your DB, and return the numeric ID of the inserted row. The decrypt process will receive the numeric ID, and you will retrieve the original information. It's perfectly valid - just take into account that this requires DB access, most resource consuming than performing an AES "on the fly".

How can you test this page?
The simplest way is by using Firefox  + an extension called "POSTER". You can also create a basic HTML form that POST the data to that URL, and open it with a browser. It's up to you.

Easy ELC configuration - Just click!

For users with little knowledge about computers, configuring the ELC can be confusing/difficult. For that reason, a "click once configuration" method has been created.

The idea is that the user click on a link, and MegaDownloader automatically configures the ELC account for the first time. That's all! The user has to do nothing else :D

In the page where you show the ELC information to the user, you should implement a mega:// link to do that. This mega:// link should be like this (copying the link also works if MegaDownloader is configured to detect links from clipboard):

As you can see, it's a mega:// link with the "configelc?" code. After that, there should be 4 parameters, each one separated with a ":" character:
- Parameter 1: The ELC URL of your site, URI encoded (you can do it with Javascript using encodeURIComponent). In this example, the URL is "" (note you can use & or ? if you need it)
- Parameter 2: The user name of the user, URI encoded. In this example "User name" (note it supports spaces and other strange characters).
- Parameter 3: The API-Key of the user, URI encoded. In this example "Api key" (note it supports spaces and other strange characters).
- Parameter 4: This is an optional parameter, you can specify the Alias of the ELC account, URI encoded - in this example "Account alias".

When the user clicks on the link, MegaDownloader will ask the user if he wants to create/update the ELC account. If he says "Yes", then the ELC account configuration will be imported - and he has to enter no data at all!


For users, adding an ELC account should be easy - just clicking on a link.
For developers, creating the ELC pages should be also easy - the ciphering method is provided in the example, and only an user validation system has to be implemented.

Using ELC is a solid and robust system to protect your MEGA links so they can't be reported, and people outside your community can't download them.

Sunday, March 31, 2013

Understanding mega:// links


From version 0.6, MegaDownloader supports mega:// links.
When you click on a mega:// link, MegaDownloader automatically opens and captures the link, so you can download them easily.
In this article, mega:// links will be explained and classified.

Mega links types

There are three basic types of Mega links:

Plain links.

These links contains the ID and the Key, similar to a normal mega link. For example, consider this link:!OFEQ0Y4Z!0123456789wVrs6n7Jyx8-9876543210nkI8MA5Gf4g

The mega:// equivalent link would be:

You can generate your own plain mega:// links just replacing "" by "mega://".

Encoded links.

This links contain the ID and the Key encoded, and the URI has the form "mega://enc?xxx".
These links are generated by both MegaDownloader and MegaUploader, by going to "Options"/"Encode URLs", or by using the right click option "See links" and selecting the "Encode URLs" option.

You can share the encoded links, and MegaDownloader will grab them when you click on them or when you copy them (if you have activated the "Capture links from Clipboard" option).

What's the target of the encoded links? It was designed with the idea of offering a basic link protection, so the user can download the file but can't know the original link.

Please take into account that the level of security offered is not very high. Links are encoded using an AES password, but a high skilled user/hacker can retrieve it and get the original link. However most of the people will not be able to do it: At this moment it is even easier to decrypt a DLC than these encoded links ;)

ELC links.

ELC is the acronym of "Encoded Link Container".

This format, that will be released with MegaDownloader 0.8 and MegaUploader 0.7, is under development, but will offer two features:
  1. Link protection: Users won't be able to know the original link.
  2. Copy protection: Only authorized users will be able to access the file.

This is achieved by using a server to validate the user that tries to download the file. The idea is that each community (forum, etc) have a page to validate users.
When you create an ELC link, you have to select the community (previously configuerd) that will be have access to the links.
Once generated, only users with a valid account in that community will be able to download the files. In this way, even if someone pastes the Mega links outside the community, nobody without a valid account in that community will be able to download the files.

Interally files will be encoded using a random AES password, that will be recodified by the server. So without a valid account, nobody would be able to retrieve the original links, so security is guaranteed. The idea behind ELC is similar to the DLC, with the difference that DLC is public so anyone can download the links inside a DLC; ELC links will be private so only members of a community will be able to download the links.

ELC links can be found as a file (*.elc extension), or as a mega:// link, with the form "mega://elc?xxx".

For using the ELC, each community has to implement two webpages: (1) one for the user, so he can see the URL, user and API-Key he has to enter into MegaDownloader's configuration, and (2) another to validate the users and encode/decode the data.

Do you want to test ELC by yourself?
Well, first you have to download the test version of MegaDownloader 0.8. Then, you have to go to "Configuration", "ELC accounts", and create a new account with this data:
  1. Alias: Put anything you want, it's just an identificative name.
  2. URL: Put the community's URL for the ELC. For this test, use a demo URL "".
  3. User: Put "test".
  4. API-Key: Put "test".

Now you will have configured a "demo" ELC account, so you can download all ELC links generated for this community.

Do you want to try an example? Click on this link, and two files will be added - if you ELC account is correctly configured!

A detailed article will explain it in depth, but meanwhile you can take a look at the source code of the demo page, available here. The encode/decode process is fully implemented (just change the password) but you will have to implement the user's validation.
Two fields will be sent on each petition: user and API-Key. The API-Key should be a code that identifies the user and only he should know it. For security, it should not be the user's password, but something like the hash of the nick + the hashed password stored in your DB, and should be shown on the first page we have commented (where the user sees the URL, user and API-Key, so he can configure MegaDownloader).

MegaDownloader and MegaUploader supports 3 types of mega:// links, with different levels of security, in order to use comfortably MegaDownloader and protect your Mega links :)

Link typeLink protectionCopy protection
Plain linksNoneNone
Encoded linksMediumNone
ELC linksHighHigh

Thursday, February 28, 2013

Watch videos online - streaming tutorial for MEGA.CO.NZ

Quick reference

Some users asked for a shorter version of the text. Here it is!
  1. Download MegaDownloader.
  2. Download VLC Player.
  3. Configure MegaDownlaoder: Go to "Options", "Configuration", "Streaming", check the option "Use streaming server", check the VLC path is correct. You can also check the option "Capture links from clipboard" from the configuration tab "General".
  4. Copy a MEGA link of a video file (avi, flv, mkv, mp4, etc). 
  5. A screen will appear, select "Watch online".
  6. Enjoy!
If you want to read the complete text, here it is!


Do you remember MegaVideo? It was great for watching videos online. And surely you have though: "if only Mega could stream videos...". Of course, videos without copyright :)
Well, there are good news: It is possible to watch online videos by streaming, hosted in MEGA.CO.NZ - using MegaDownloader!!


Remember MEGA has the files encrypted. MEGA is unable to know the content, and is unable to stream videos. 
But... if you know the key to decrypt the file... you could download it, decrypt the video "on the fly", and stream it to someone, couldn't you?
Basically, MegaDownloader downloads, decrypts and streams the video "on the fly" to any destination, using an integrated web-server. 
It's up to you to play the movie, using VLC for example, or any other player that accepts streaming: MegaDownloader gives you a "streaming URL" and you play it wherever you want.

What do I need?

First at all you need MegaDownloader, version 0.5 or newer. You can download it from here: 
Download MegaDownloader.

You also need a player. MegaDownloader is integrated with VLC, and works great: 
Download VLC.

Finally, you need the MEGA URL, with the key!

What if I don't use Windows?

VLC is available in many platforms. 
MegaDownloader works in Windows (and Mac using Parallels). However MegaDownloader acts as a "stream server". 
So you only need a Windows PC (or Mac) for running MegaDownloader, and then use the provided URL to stream the content to any device capable of playing stream videos, using a local network.

How to configure MegaDownloader

You only need to activate the streaming server. 
This is done by going to the configuration screen, and select the tab "Streaming". Check the option "Use streaming server", and check the VLC installation path is correct. Save the configuration. That's all!

That's great... but tell me how to watch videos online!!

Once you have installed and configured MegaDownloader and VLC, just copy into the clipboard a valid MEGA URL (note: the video can't be compressed in a zip or rar). 
If MegaDownloader has the option "Copy from the clipboard" activated, an "Add links" screen will appear, with the selected URL  (if not, open it manually).  

Now you will have two options: add the file to the download queue... or watch it online. Select that option. 
VLC will automatically start. 
After a while (the file download needs to start, and then the player buffer has to be filled) you will be able to watch the video. Please be patient while the video loads.

If you need to play it on other player or remote device, go to the "Streaming" menu, and select the first option "Watch online".
A screen will appear. Paste the link in the first textbox "MEGA URL link" and a new link will appear in the textbox "Streaming URL link". You can use that link into your favourite player :D

Oh, the URL is long... well, in that case it is possible to shorten it, if you need it.

Add the link into your Streaming Library, and the streaming URL will be shorter, with a numeric id. 
In order to add a MEGA URL to the library, go to the "Streaming" menu and select the option "Manage Library". A webpage will appear, and you will be able to add new elements to the library, providing a name, description, image link, etc. 
Once added, go to "Streaming" / "See Library" and you will be able to select easily the desired video... with a shorter link! 
If you play it on a remote device, remember to change the "localhost" path to your local network IP (for both accessing the Library Manager and the Streaming URL).

You can go to the Streaming library at any moment, just remember that MegaDownloader has to be running :)

What formats does it support?

MegaDownloader streams the video, without any type of conversion. So any file that VLC (or your chosen player) can play will be accepted for streaming: AVI, FLV, MKV, etc. Of course you need enough bandwidth for streaming the video. If you have a 128kbps Internet connection don't expect to stream a 20GB MKV file ;)
For streaming large video files, you may also have to configure the player for watching it smoothly (buffer size, etc).


The streaming is a brand new feature in MegaDownloader. 
It's pretty easy to configure it and use it. 
You only need MegaDownloader for streaming, and a player (like VLC) to play the video.
MegaDownloader also has a built-in library, so you can store and play the videos comfortably. In a future article I will explain more details about the built-in library.